IT And Compliance: Friends Or Foes

By Mardik Mardinoglu
Compliance and regulation are negative words in the IT world, and in a capitalist society in general. They sound like anti-freedom, bureaucracy, inefficiency, and high short-term costs with little or no benefit.

Sep 26, 2005 | By ITSM Watch Staff

In an ideal business world, who would need regulations? I sincerely share the concerns of those who oppose regulations, even though I would have to change my career in such a case. Unfortunately, we do not live in an ideal world, and in today's business environment, experience has repeatedly shown that some corporate boards fail to act with due professional care and cause serious damage to investor confidence and, hence, to our economy.

Have you noticed how often we hear news of corporate malpractice, identity theft incidents, privacy violations, and so on? The bad news for those who still think that regulations hurt economic freedom is that the era of self-regulation is, unfortunately, long gone. We are in the era of regulations, and whether we like it or not, all of us have to learn to live with them.

The good news is that organizations can benefit tremendously by approaching compliance with a positive attitude. Having to comply with regulations provides many opportunities to continuously improve business processes, which leads to better-run organizations.

In this article, we will explore why compliance has been so difficult for IT and the common mistakes made in approaching it. We will also look at the common elements of compliance and how IT can benefit from it.

IT and Compliance: Can they go together?
To many ears, the words IT and compliance do not sound like they belong together. Many IT managers believe that compliance efforts are non-differentiating activities (NDAs)(2): while they want to sprint the 100 meters in technology and give their organizations a competitive edge, compliance acts like a strong headwind slowing them down with no tangible return.

There are many reasons why IT dislikes regulations. First of all, most regulations are open to interpretation, because regulatory bodies describe what they want, not how they want it done. As a result, there is no consistency within IT about how to achieve compliance with different regulations.

While some organizations overdo compliance, others do the minimum just to look compliant. It is easy to find IT managers wondering how to become compliant with the multiple regulations that apply to their industry. It is a complicated problem, and it leads them to hire compliance and security consultants, which is the most expensive item in the budget of any compliance project.

Willingly or unwillingly, they make the effort, go through some frustration, and finally achieve compliance, but then what? When will they realize the return on all their effort? At some unknown future date, when the regulators happen to pay a surprise visit to the organization for an audit. To make things worse, compliance is not a one-time event but an ongoing activity.

Achieving compliance is easier than sustaining it. Finally, the typical "get it done ASAP, worry about everything else later" characteristic of IT culture makes it even harder to promote compliance in IT. All of these reasons generate great resistance to operating in compliance with laws and regulations.

Looking at the paragraphs above, one might conclude that IT and compliance are like fire and gasoline. However, I argue that, if approached correctly, IT and compliance can co-exist, and both IT and the overall organization will benefit from compliance.

Why and How to Achieve and Sustain "IT Compliance"(3)?
The obvious reason for IT compliance is to obey laws and regulations, avoid fines and public embarrassment, and keep stakeholders happy. This is the immediate goal of complying with laws and regulations: your organization passes a regulatory inspection while competitors get hit with large fines and bad publicity.

But there is another benefit of IT compliance, and without realizing this benefit, compliance cannot be truly achieved and sustained: done properly, compliance results in a proactive, efficient and effective IT organization with complete control over its operations, through documented processes, policies and procedures that are kept current as the environment changes.

Therefore, IT should see the big picture and view compliance from both of these aspects. Although it is entirely legitimate for IT organizations to use band-aid solutions just to pass audits, they cannot achieve and sustain true compliance with that approach. This philosophy may cost less in the short run, but it becomes more expensive in the long term, because compliance must be re-established every time a new regulation is enacted or a regulatory audit looms on the horizon. That means more consulting dollars to spend and more frustration and pain to go through, and IT ends up creating show-off controls and fancy documents that add no value to the organization; processes are not improved and business is conducted as usual.

At the other extreme, some IT organizations choose to be on the safe side and try to comply with every item in every regulation, whether it applies to them or not. In addition, they treat each regulation as a separate issue to address, so they end up with duplicate controls and documentation for the overlapping aspects of multiple regulations. This generates so much red tape that following the procedures becomes unbearable, and it results in strong resistance to compliance. These organizations spend a lot of resources with good intentions, but in return they get frustrated employees, bypassed controls, bureaucracy, and defective compliance.

The first necessary condition for smart IT compliance is senior management support. IT senior management has to lead by example, inject compliance awareness into the organizational culture, and constantly communicate and promote it throughout IT. Without this condition, efforts at the local level can have only limited benefits, and IT may fall into the trap of sweeping the dust under the carpet and merely looking compliant. Just as important as senior management support is the cooperation of the IT operational staff. Since they perform the daily IT activities, their support for the changes that come with regulatory requirements is essential. The human factor plays a big role in compliance in general, so compliance is neither a top-down nor a bottom-up initiative; it has to be everybody's business, from the senior executive to the help desk analyst.

Once IT senior management and staff support is secured, all the compliance requirements that concern IT should be analyzed, and the scope and degree of compliance required should be assessed. Do not do more than what is required unless doing extra makes sense as a "good practice," but do "what is required" in a way that adds value to your IT organization.

Then, overlapping regulatory requirements should be identified, so that a single control addresses the same requirement across multiple regulations. A controls inventory should be prepared, so that the gaps between the current environment and the regulatory requirements can be assessed. Existing controls that already address some of those requirements should be identified, new controls should be implemented where necessary, and redundant ones should be eliminated. This activity alone will help IT become leaner and more efficient.

Speaking of overlapping requirements, special attention should be paid to two items that almost every regulation promotes and asks for: control and accountability. IT management has to know who does what, why, when, and how. The key to achieving control and accountability is process-oriented operations and staff. If IT does not have control over its assets, processes, and resources, then it simply cannot comply with any regulation.

Of course, nobody debates the importance of getting a new router up and running as soon as possible, but the conscientious network administrator has to understand the benefit of following documented processes to perform that task.

Linked to control and accountability, regulatory authorities also look for evidence that you do what you say and say what you do. Therefore, documentation is key to true compliance. IT has to have strong documentation capabilities to document its processes, policies and procedures. Beyond compliance, documentation is needed to transfer knowledge and establish a stable environment. IT policies and procedures must be developed with the full participation of IT employees. If technical writers develop procedures in a vacuum based on best practices, the resulting documents may be far from the reality that IT staff experience every day, and this leads to resistance to following the new procedures.

After all these changes in IT culture and processes, compliance must be enforced through continuous training and communication. Depending on the size of the organization, formal or informal compliance training must be delivered to IT personnel, so that they become aware of the changes in IT processes, policies, and procedures. Bypassing controls should not be tolerated. Corrective and preventive actions, from issuing warnings to suspension and termination of habitual offenders, should be employed.

No matter how skillful and knowledgeable an employee is, if s/he refuses to follow the procedures without good reason, then s/he is not good enough for the organization. Conversely, employees who perform their tasks according to the newly implemented processes must be rewarded for their cooperation.

Like any management activity, IT compliance management requires constant monitoring. Compliance levels must be assessed with a dashboard that includes metrics such as the number of internal controls, the number of compliant processes, the number of open items, process cycle times, and so on. The state of compliance will not stay the same; it will shift over time, so continuous measurement will help IT sustain compliance by taking timely measures when the shift occurs.

None of the items above are novel ideas. They are simply the foundation of sound organizational governance, and that is exactly what all regulations require: sound governance practices with responsible management. Although this approach has high upfront costs, IT organizations that build their compliance on these principles will be better off in the long run, because not only will they sustain compliance with current regulations, but they will also easily comply with future ones.

Love it or Leave it
The business environment has changed dramatically after the recent corporate governance scandals. The new wave of laws and regulations has naturally affected IT, since today we execute almost all of our business transactions through computerized systems. This is a whole new challenge for IT, because compliance used to be the concern of the few who operated in a regulated industry, but today it is the concern of all industries.

While some regulations cover only specific industries, such as the U.S. FDA's (Food and Drug Administration) 21 CFR Part 11, Electronic Records and Electronic Signatures, for the pharmaceutical industry, others span multiple industries, such as the Sarbanes-Oxley Act for all publicly traded companies regardless of industry. In addition, some companies are subject to multiple regulations, which makes compliance an even more complicated business.

Noncompliance is not an option, because it has serious consequences: public embarrassment, loss of revenue and market share, fines, inefficient processes, and, most importantly at the individual level, nightmares at night.

IT has always appeared to have difficulty complying with laws and regulations, and many IT managers see compliance efforts as NDAs, but I have argued in this article that, if approached correctly, compliance activities can be DAs (differentiating activities) that add value to IT.

Besides avoiding fines and maintaining a positive public image, in the long run compliance can differentiate an organization from its noncompliant competitors through cost reductions, efficiency and effectiveness, increased productivity, and a proactive culture. IT should treat compliance as an opportunity to step back and analyze how it operates, in addition to obeying laws and regulations.

Some IT organizations take a light approach and do the minimum, and others do more than the regulations require, but a balanced approach to IT compliance should contain the following common elements regardless of regulation and industry:

Human Element: The whole organization should commit to compliance and support it.

Assess which ones apply: Analyze each regulation the company is subject to, and determine its applicability to IT.

Identify their scopes and overlapping requirements: Overlapping requirements can be addressed by implementing a single control. In addition, analyze your existing controls so they can be used to address some of the requirements. Develop new controls and eliminate redundant ones as needed.

Establish control and accountability: Although each regulation has a different language, they all promote control and accountability.

Documentation: Do what you say, say what you do.

Enforce compliance and reward employees: Constantly communicate and provide continuous training on IT compliance, policies and procedures.

Measure the compliance level: A dashboard must be developed to monitor the compliance level over time.

Although the high upfront costs of implementing or improving these concepts are unattractive, IT organizations with these items in place will save on compliance costs in the long run, because they will be able to address both current and future regulatory requirements easily. In addition, improved processes will lead to automation and more productivity in IT.

I fully acknowledge that operating under tough regulations is not fun, and I sincerely hope that one day IT, and business in general, will have to deal with fewer regulations, and that companies will strive to increase shareholder value only through honest and sound business practices.

Mardiros (Mardi) Merdinoglu is an IT compliance/validation consultant with a mix of technology and management backgrounds. He helps IT departments generate value from compliance activities and attain and sustain compliance with a number of industry regulations (e.g. FDA 21 CFR Part 11 for the pharmaceutical industry), thereby reducing compliance costs. Effective and efficient IT management and IT auditing are other topics he is passionate about.

(1) The term IT (Information Technology) is used as a general substitute for "IT departments."

(2) The term is taken from the article "10 Costly Compliance Mistakes and How to Avoid Them," IT Compliance Institute (www.itci.com).

(3) The term "IT compliance" is used to cover only the business regulations that affect IT.